I figure the above is any geek's list. It certainly would be my list. So, having completed points 1, 2, 3 and 4 already, it is time to work on point 5.

So, sub-points for this are –

1. It must talk
2. It must take orders
3. It must drive itself
4. It must come when I talk to my watch
5. It must be bulletproof
6. Turboboost!

So, point 5 has been done so let’s see about the other points:

Points 1 and 2 are done by Android already but Apple has taken it to the next level. I guess Google will take it even further. Naturally you'd need an Android device embedded into the car. Guess who owns Android technology? Google. The first commercial car radio was made by Motorola Mobility – Google owns them. So watch Motorola Mobility for a talking "box" that can also listen, chat and take orders. (So, I'll check off points 1 and 2...)

Finally… a smart watch – check. It needs to be able to talk to the car – check. It needs to be able to pinpoint your position – check. (Actually, not sure if these have GPS but it is not unreasonable to expect that they do or will have soon). It also needs to be able to relay orders again – check.

So, put all this technology together and you have the ability to call your car via your watch and ask it to come to you and it will – all by itself.

The technology is all done… it is just a matter of putting it together. Take the car and make it bulletproof. Put run-flat tyres on it. (And cool black paint. And a funky red LED on the front.)

Now all the Google guys have to do is perfect Turbo-boost. And get Hoff-worthy hairy chests.

I wonder if Google will go into making helicopters that can fly faster than sound…? Maybe that’s next on their list.

Monday, October 24, 2011

He was one of the most influential computer engineers ever. I could go into details as to what he did but let's look only at how his work contributed to Steve Jobs becoming a household name.

Ritchie created the C programming language and with Ken Thompson, Ritchie created the Unix Operating System.

Without Unix, Jobs would not have had a basis for his NeXT language which Apple bought, bringing Jobs back into Apple and ultimately back into the CEO position.

Without Unix, Pixar would never have had Linux (derived from Unix) to do massive and cheap rendering. This means there would have been no Toy Story and all the movies that followed and no buy out from Disney.

Without Unix there would have been no base OS for iOS so no Operating System for the iMac, iPod, iPhone and iPad.

C, on the other hand, is the base of almost every modern programming language, from C (itself) to C++ to Perl to Java etc. No Java means no apps for the iDevices. It also means no cross-platform applications like iTunes and no way to get Office to be on both Windows and iOS without having to write the entire program to work on each. Even worse - if programs like Office were written in Assembly (as was the norm before C) then you would have to get a totally new copy of the software for every device, even if you upgraded your PC from one processor to another.

To be fair, if Ritchie had not created Unix or C, someone would probably have jumped in and created something similar. Or one of the other languages and operating systems around in the 70s may have been more successful and changed the world we live in like Unix has. But this isn't the case. Ritchie's contributions to the world have radically changed it and we will miss the inventor of these tools. It may be that Jobs was tasked with making some genius iDevices up in Heaven and he called up the one guy he needed to help him more than anyone else. A heaven without Unix... doesn't make sense.

PS. On the other hand... Jobs's biggest competition, Android, would also not have been possible without Linux (based on Unix) and Java (based on C).

Wednesday, July 27, 2011

The question I posed in my last post about email sharing was triggered by Facebook stating that it is wrong for a person to mass-move private details such as email addresses and telephone numbers to a new service provider without the person knowing. It is an interesting (and perhaps valid) argument which covers up what they would rather say, which is "please don't move your Facebook contacts to our competition and set up an ecosystem (there must be a better word) there."

The point is that Facebook, through its partnership with Skype, is forcing its users to do just what it is telling them they should not do with Google Plus.

I haven't used the Skype functionality in Facebook as yet so I'm not sure exactly how it works but from what I've read, once you use it once to chat through voice or video to a contact, it creates them as a contact in Skype. Essentially, by you chatting to someone over Facebook Video, you are creating a link to someone in Skype where one didn't exist before.

This really is very similar to what Facebook is arguing you shouldn't do by using automated ways of exporting Facebook contacts to create contacts in Google Plus.

Facebook is a business so one shouldn't be surprised when they choose profit over strange ethics but then expecting their users to abide by these ethics is a bit hypocritical.

Thursday, July 7, 2011

So, someone gives you their business card with all their details. Can you load it into Outlook to make it easier for you to contact them? Can you add them to the phonebook on your phone? What if your phone gets stolen? Can you give it to a colleague? What if the colleague has some work for the person? What if the colleague is an annoying git? Can you give it to a salesperson who is selling something you think the person would want? Can you give it to a salesperson just to get them off your back?

Taking things further... Facebook argues that you do not have the right to take your friends' details off their network and use them on another network. Obviously Facebook has a vested interest in you not being able to move information off their network and in tying you down, but do they have a point?

Of course, they've never had an issue before with apps sharing users' details and downloading friends' information.

But this is not to judge Facebook on their new awareness of privacy; it is to ask the question. Should someone be confident to move your personal information, including your email address, to any system that they want to? Or should they ask first? Or should they just not do it at all?

Friday, May 20, 2011

I really wanted to write something longer but this will do for now. I just want to get something out there that is not a tag-cloud.

Stuxnet and Spy Wars
Patrick Gray from the Risky Business Podcast and Tony Olivier both spoke about a world that we are only starting to understand now, where governments are playing with information and changing the world with their own malware and hidden online activities. Stuxnet, Anonymous and HBGary are all the catchwords that made each of these presentations fascinating. Richard Thieme continued and asked the big question - what side are you on? Tony urged the attendees to spread the word about what is happening, as it is the Information Security community that is best equipped to understand what the implications are. Very interesting stuff.

Online Auctions
Glenn Wilkinson did some interesting research into how online auctions can be gamed. It was very interesting and well done to him. However, I think he missed out on an important point which I would like to take further. On my way home on the first day, my head was buzzing thinking about this talk and it hit me while I was battling some traffic along Sandton Drive - our corporate information is on the Internet and is up for Auction. "Cyber-criminals" have an amount that they are willing to spend to get our information. Information Security is really just one big auction of information. APT was a term that was thrown around loosely at the conference but I think that Glenn's talk is the only talk where it wasn't mentioned (even in jest) and yet his talk would have had the best definition of APT - it is where Information Security and Cyber-Crime are locked in a "war of attrition".

Fig Leaves and Haroon's Hammer
Haroon Meer is a great talker and I enjoyed his Lessig-style presentation at the end of the conference. It was great that both of the closing talks had calls to action, which makes sense. I agree wholeheartedly with the problem statement that Haroon builds in his talk. One question he asked was along the lines of: hands up all those here who are willing to put $1000 down on the table that they can protect their CEO's information. No hands were raised. He then went through some excuses that InfoSec professionals use and ripped them apart. His quote "Your management is one 0-day from the worst day of their lives" was re-tweeted across the world and was the most popular quote from the conference. The next bit was more important though: "... and they don't know it and you (Information Security Professionals) have a duty to inform them". The bit of the presentation that I didn't agree with was the answer that Haroon provided. Haroon is a researcher, so by the law of the instrument (or Maslow's Hammer) his answer is more research. I disagree. I believe that two things are necessary to get us out of where Haroon correctly paints us: 1. a fundamental change of the Internet and 2. a realisation that Information Security is rapidly becoming less and less about technology and more about business. More technical research is also needed, but I think it is not everything we need.

Strange Trends and New Networks
My talk was very heavily based on information I pulled off the Internet from blogs. If you are passionate about anything at all then you should be looking for blogs about that subject, and Information Security is no exception - there are some amazing sources out there. The talk itself went off well and I had some very positive feedback from delegates as well as some comments, which is always appreciated and allows the conversation to be taken further. I started off my talk by saying that if I had all the answers I wouldn't be doing Information Security because I'd be bored. Due to time constraints, I did skip some parts of my talk that I would like to pick up in my blog, so watch out for that soon.

And so...
Another amazing conference - one that was very worthwhile and I look forward to ITWeb Security Summit 2012.

Disclaimer - you may think that because I spoke at this conference, I am biased toward liking it. The opposite is true - because I am biased toward liking it, I spoke at it.

Monday, May 16, 2011

This is an update to the previous post. I have cleaned up the data a bit. Again I left out the words "HTTP", "ITWebSec" and "RT", as well as common English words such as "The" and "And", as these added nothing to the cloud. Including these words, there are 2307 different words. The top names (chosen by "@" in front) are: @itwebsec, @haroonmeer, @MushiD, @mattdoterasmus, @abaranov and @DeepPurple77.

The most retweeted phrase (by far) was: '@itwebsec: "Management don't know what security knows; that we're one 0day away from the worst day of their lives." #itwebsec', which is a quote from Haroon Meer's presentation.

Thursday, May 5, 2011

I've been doing a lot of thinking recently about the last year. I basically run my professional year from ITWeb Summit to ITWeb Summit and around this time I think back over the last year about what has changed and what is new.

I find that InfoSec is cyclical and this year is the unexciting one. Last year we were dealing with iPads and their ilk and Cloud and SaaS and all that good stuff was starting to hit us. This year - we are dealing with iPads and their ilk and Cloud and SaaS and all that good stuff is starting to hit us - again.

I'm still very much looking forward to the Summit and I always leave with at least one very worthwhile thought that will determine my next year. The international speakers are the most worthwhile to see as they bring a perspective that we, at the bottom part of Africa, don't usually get. The Internet makes the world smaller but seeing someone talk is so much more useful (powerful) than reading.

While looking through my blog list for some juicy nuggets for my talk I noticed two bits of irony that came through -

1. The DBIR was published with the first line mentioning how it seems that the hacker community has gone more underground, with fewer big hacks where large amounts of data are stolen. Boom, a couple of weeks later and Sony is hit by just one such hack.
2. Brian Krebs publishes how it may be overkill but it is a good idea to use a non-Windows system to do online banking especially for small businesses because there are no trojans aimed at these systems. His next post is all about how someone is developing a trojan crafting tool aimed at these systems.

My speech this year is finally completed (albeit in draft for now) and is a mostly updated speech that I presented 2 years ago at a smaller conference. It is still very relevant and I will enjoy presenting my insights to a larger audience.

Please look for my talk in the program and support me if you are attending.

I have committed to the organisers to post at least 1 blog post per day of the event and 1 to sum up what good stuff I got out of the conference so look out for these.

Friday, April 1, 2011

When I first started with Sudoku puzzles my interest was "how do I reduce these to an algorithm?" I wrote some code that would solve the puzzles and then started to try to do it in my head.

I got better and better and the simpler puzzles started to get very boring and the harder ones became easy. Then, recently I got hold of an advanced Sudoku book and I was hooked once again.

But there was one puzzle that I just couldn't do. I would stare at the thing like it was a novel I could not put down. Hours went by and I was starting to see blocks in my sleep. So I decided to revisit some of the online Sudoku solver sites I had used to help build my Sudoku solver. (Why not use my own solver? It's on a disk, somewhere!)

I found a good site that shows "hints" (because after all, I want to know how to solve it. If I wanted the answer, I could have just flipped to the end of the book, but then I would have learnt nothing from the experience).

I typed the puzzle into the site and *boom*... a hint... yay. I was well on my way to solving the puzzle. I actually just really wanted one number and the rest all fell into place.

[The actual point of this long blog is here ;) -] Once I knew what the next number of the Sudoku was, I could work out how I should have gotten to it. But the PC showed me how it would have gotten to it and it was a totally different method altogether. It's obvious but not always at the top of our minds: computers and humans inhabit the same world but our world views are very different.

This is why spam gets through. This is why passwords don't work. This is why brute force does work. This is why web filters don't work. This is why DLP is only partially effective.

Using technical controls for human-created problems is what Information Security is all about. It's also something doomed to fail. What's better? I wish I knew.

Friday, February 4, 2011

I usually don't repost blogs and articles that I find because I like this blog to be my personal sounding board. The practice can also lead to a blogger feeling that he is accomplishing something when he is really just posting links over and over. I have an RSS reader to do that for me, and Google to get the stuff I missed.

However, I was drafting an article on exactly this stuff (and I hate this) but the Hoff managed to beat me to it and put exactly what I was thinking on the Internet, better than I could express it myself. (... and had a Douglas Adams reference too!)

Friday, January 14, 2011

So, the first thing you'll learn when doing networking is the OSI stack, even though everyone uses TCP/IP, which doesn't fit neatly into the OSI concept. The first thing you'll learn in InfoSec is the CIA triangle. This is our sacred cow even though we don't really work towards it. Or do we? Should we?

If you speak to those that know me professionally, you'll know my feeling on how Information Security should treat the A. I sit in the IT building and my favourite saying is "everyone else in the building is making sure availability happens. I look after the C and the I".

The problem is that protecting Availability is very broad. It is actually easier to define the opposite - lack of availability:

If a server disk crashes, who gets called in? It's not me.

If a service stops on a server? Not me.

If the firewall blocks a business website? Yep, me.

If a virus crashes the mail server or slows it down? Me.

So, I do manage availability to a point, but not all of it. And, in fact, I seem to manage more availability than I should. The point is that availability is an easy sell. IT is full of it. Check your agreements with vendors - they all have something like "99.9...% uptime" SLAs. There are no "99.9...% integrity" or "99.9...% of confidential docs will not be moved" SLAs. Availability can be measured - it's there or it is not. Integrity and confidentiality - not so much. Another favourite phrase of mine is "The A in SLA stands (not for agreement but) for availability - where is the SLI and SLC?"

The problem is that because InfoSec is traditionally based in IT, some of the Need For Availability (NFA?) seeps into our area. The tools we find easiest to sell to business - firewalls, IPS, antivirus - are all there primarily to protect availability. Tools like web filters are also very easy to sell because they stop abuse of the network (think availability) and of time (same). Tools like DLP are a tougher sell because they don't touch availability (and can cause issues there). Backups and DR have been the cause of some really bad C and I episodes. Yet every company does them - availability. This is not to say that backups and the other software we have are bad. Backups are essential, for one, but availability is king. When last did you audit all of the Excel documents that people use to make business decisions for integrity?

The thing is that C and I are opposed to A. The safest network is one that is not connected to the Internet, but what use is that? The way to properly secure a document is to put it in a safe, cover the safe in lead and then in concrete, chain it up for good measure and then dump it at the bottom of the ocean. But, again, what use is that? So, there is an arm wrestle between C and I on one side and A on the other, and that is a good thing.

IT will always fight on the side of the "A" and so should InfoSec, but we also have to fight for the C and I and ultimately get a good balance between all three.

The article goes on to say "If all 400 traffic lights need to be repaired due to theft and vandalism, it could cost about R8,8m."

So, the big question is why the JRA used normal SIM cards in their traffic lights. It was probably a cost-cutting measure so they could just get them off the shelf, but it is backfiring for them.

A comment in the article says to glue the SIM cards in place or use resin, but this doesn't seem like a great idea as it would be almost impossible to replace a SIM card that is faulty.

Maybe the answer for the JRA is to react fast. As soon as a traffic light stops reporting to the central server (which is what these SIMs are used for), move to disable the SIM immediately. Send a team to the light to assess, and re-enable it if it is a false positive.

Another comment was about using PIN codes. But these would end up either being easy to guess ("1234", "0000" etc.), well known ("Jack left the JRA last week, now we need to redo all 400 PIN codes") or a mission to manage ("Did anyone see the spreadsheet with PIN codes?"). Even one PIN is too much for some people to manage.

It seems that the SIM cards are well protected in the traffic lights, because it takes the scum thieves a lot of destructive work to get to them, so that is not a deterrent. The only option I can think of is to make the SIM cards useless to anyone but the JRA, either by using special cards or by the above "react quickly" method.

Surely these SIM cards must be connecting to a private APN. (This is the government, so this assumption is not a certainty.) In which case they should have been disabled on the normal GSM APN. Problem solved.
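The "react quickly" approach above, as an added example that is not part of the original post or anything the JRA runs: a heartbeat watchdog on the central server that bars a SIM the moment its light goes quiet, then either re-enables it after a site visit (false positive) or leaves it barred for good (confirmed theft). The light IDs, SIM IDs, timestamps and the dictionary standing in for the carrier's provisioning API are all constructed assumptions.

```python
from typing import Dict, List
from dataclasses import dataclass


@dataclass
class LightRecord:
    sim_id: str
    last_seen: float        # epoch seconds of the light's last report to the central server
    state: str = "active"   # active | suspended | stolen


class SimWatchdog:
    # Bars a SIM as soon as its light goes quiet; the site visit then decides whether it
    # was a false positive (power cut, controller fault) or a real theft.
    def __init__(self, timeout_s: float) -> None:
        self.timeout_s = timeout_s
        self.lights: Dict[str, LightRecord] = {}
        self.carrier: Dict[str, str] = {}   # stand-in for the carrier API: sim_id -> enabled|barred

    def register(self, light_id: str, sim_id: str, now: float) -> None:
        self.lights[light_id] = LightRecord(sim_id, now)
        self.carrier[sim_id] = "enabled"

    def heartbeat(self, light_id: str, now: float) -> bool:
        # A SIM already confirmed stolen is never trusted again just because traffic resumes.
        rec = self.lights[light_id]
        if rec.state == "stolen":
            return False
        rec.last_seen = now
        return True

    def check(self, now: float) -> List[str]:
        # Bar every active SIM silent longer than the timeout; returns light IDs suspended now.
        newly: List[str] = []
        for light_id, rec in self.lights.items():
            if rec.state == "active" and now - rec.last_seen > self.timeout_s:
                rec.state = "suspended"
                self.carrier[rec.sim_id] = "barred"
                newly.append(light_id)
        return newly

    def field_assessment(self, light_id: str, sim_in_place: bool, now: float) -> str:
        # Site visit outcome: re-enable on a false positive, otherwise mark stolen and keep barred.
        rec = self.lights[light_id]
        if sim_in_place:
            rec.state, rec.last_seen = "active", now
            self.carrier[rec.sim_id] = "enabled"
        else:
            rec.state = "stolen"
        return rec.state


def simulate() -> Dict[str, str]:
    # Constructed scenario: two lights, 5-minute timeout, one false positive, one theft.
    w = SimWatchdog(timeout_s=300)
    w.register("L001", "sim-A", now=0)
    w.register("L002", "sim-B", now=0)
    w.heartbeat("L001", now=200)                              # L002 stays quiet
    w.check(now=400)                                          # sim-B barred
    w.field_assessment("L002", sim_in_place=True, now=450)    # false positive, re-enabled
    w.check(now=1000)                                         # both silent, both barred
    w.field_assessment("L001", sim_in_place=False, now=1010)  # sim-A confirmed stolen
    return dict(w.carrier)                                    # {"sim-A": "barred", "sim-B": "barred"}
```

The timeout should be a small multiple of the reporting interval so that a barred SIM is worth very little airtime to whoever pulls it out.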

One wonders how much the cellphone bills that were clocked up came to.